AutoSSL renewal problem
I'm having problems since yesterday on one of my servers for SSL renewals. Is there something wrong or is it me?
I've checked
And after this warning:
And after this warning:
12:15:01 PM Polling for "user"'s new certificate for "domain" (order item ID "orderid") …
12:15:05 PM The certificate is not available. (processing)
FYI, things were working well last night... I had several domains install a new cert (including hostname requests). It's like Sectigo was watching us post and got with the program. lol j/k But try a manual check and see what you get. Of course it could be just as bad again now, but overnight it was zipping along. (Load changes, I'm sure.) My point is, you CAN get them to go through, just have to retry a few times. Switching to LE is a better use of time though.
The 'Run AutoSSL For All Users' button in WHM doesn't do anything with hostnames/services cert though - or at least doesn't show anything in the logs there for it. The main certificate I am worried about that expires soon is the certificate for my services ('Manage Service SSL Certificates' in WHM) that covers the following : hostname.com cpanel.hostname.com cpcalendars.hostname.com cpcontacts.hostname.com mail.hostname.com webmail.hostname.com whm.hostname.com www.hostname.com
@morrow95 - the hostname certificate is handled through /usr/local/cpanel/bin/checkallsslcerts
The 'Run AutoSSL For All Users' button in WHM doesn't do anything with hostnames/services cert though
Came here to say what cPRex said ( /usr/local/cpanel/bin/checkallsslcerts ) and that both were doing well last night.
Still received the auto expiration emails this morning for dovecot, exim, cpanel, but when I checked WHM the service ssl cert finally did update and is good till sometime in April now. I can only assume those were checked before the actual cert was installed so tomorrow there shouldn't be any notifications. Just a friendly reminder to those of you that actually had certs expire on you. Turn on notifications in WHM for certs. That way the worst case scenario is you'll have some time to manually install a cert where needed.
Just a friendly reminder to those of you that actually had certs expire on you. Turn on notifications in WHM for certs. That way the worst case scenario is you'll have some time to manually install a cert where needed.
I see no notification option for a cert expiring. Where are you seeing this? (Service SSL, and non-autoSSL certs, yes, but not autoSSL certs.)
I see no notification option for a cert expiring. Where are you seeing this?
'Manage AutoSSL' in your side menu then click on the 'options' tab.
'Manage AutoSSL' in your side menu then click on the 'options' tab.
Ah, thanks, but I forgot to mention that area as well... I have "ALL" selected for administrators and yet I don't get notices when a cert expires. (Additionally, per docs and my testing, it appears that all this does is enable/disable options in cPanel » Home » Preferences » Contact Information for autoSSL. I have everything enabled, and get notices of installs (off by default but I turned it on to test), but when a cert expires I get no notice. Can you confirm whether expiration notices work for you? @cPRex am I misunderstanding how this should be working?
The same goes for my side, it's been 2 days that I have error 503 or 504 on the order: checkallsslcerts. Does cPanel have any information to give us? Thanks in advance
WHM >> Contact Manager has "Service SSL Certificate Expires Soon" and "SSL Certificates Expiring" options. @Vandenhole - I don't have anything new to report on my end.
WHM >> Contact Manager has "Service SSL Certificate Expires Soon" and "SSL Certificates Expiring" options. @Vandenhole - I don't have anything new to report on my end.
It also has "Service SSL Certificate Expiration," which is exactly what I'm wanting, and they work as expected for the service SSL cert. But where is the equivalent for autoSSL certs? That's what I'm talking about. I don't get notified when they expire! Notification options for autoSSL are only the following:
- AutoSSL cannot request a certificate because all of the website's domains have failed DCV (Domain Control Validation). This setting takes effect only when "Notify when AutoSSL cannot request a certificate because all domains on the website have failed DCV (Domain Control Validation)." is enabled in WHM's "Manage AutoSSL" interface.
- AutoSSL has deferred normal certificate renewal because a domain on the current certificate has failed DCV (Domain Control Validation). This setting takes effect only when "Notify when AutoSSL defers certificate renewal because a domain on the current certificate has failed DCV (Domain Control Validation)." is enabled in WHM's "Manage AutoSSL" interface.
- AutoSSL has installed a certificate successfully. This setting takes effect only when "Notify when AutoSSL has renewed a certificate successfully." is enabled in WHM's "Manage AutoSSL" interface.
- AutoSSL has provisioned a new certificate for a dynamic DNS domain.
- AutoSSL has renewed a certificate, but the new certificate lacks at least one domain that the previous certificate secured. This setting takes effect only when "Notify when AutoSSL has renewed a certificate and the new certificate lacks at least one domain that the previous certificate secured." is enabled in WHM's "Manage AutoSSL" interface.
- AutoSSL has renewed a certificate, but the new certificate lacks one or more of the website's domains. This setting takes effect only when "Notify when AutoSSL has renewed a certificate and the new certificate lacks one or more of the website's domains." is enabled in WHM's "Manage AutoSSL" interface.
- AutoSSL will not secure new domains because a domain on the current certificate has failed DCV (Domain Control Validation), and the certificate is not yet in the renewal period.
I don't think there is such a warning, currently. The "expiring" warning would start notifying you 25-30 days ahead of time. If you haven't got that message by then, an additional expiration notification likely won't help.
I don't think there is such a warning, currently. The "expiring" warning would start notifying you 25-30 days ahead of time. If you haven't got that message by then, an additional expiration notification likely won't help.
Sorry, but no, those notifications ARE sent for the service SSL, and I get them. I don't see any setting for a 25-30 day warning notification for autoSSL either in the above list, or the one from docs below, nor is there an autoSSL expiration notice that I can find. About autoSSL Options docs say: "Administrator Notifications You can select from the following notification options for your reseller and WHM users:
- Notify the administrator for all AutoSSL events and normal successes.
- Notify the administrator for AutoSSL certificate request failures, warnings, and deferrals.
- Notify the administrator for AutoSSL certificate request failures only.
- Disable AutoSSL administrator notifications.
At this point, you're getting everything you're supposed to. Could you make a feature request with what all you're looking to see added and I can get that over to the team?
At this point, you're getting everything you're supposed to. Could you make a feature request with what all you're looking to see added and I can get that over to the team?
Sorry, but am I? I'm not getting autoSSL expiration warnings, nor expiring soon warnings. Where can I look on the server to see the actual current configuration? And I just found the defaults listed on the API page: Note: For reference, the system preconfigures AutoSSL metadata keys to the following values:
- The value for clobber_externally_signed defaults to 0.
- The value for notify_autossl_expiry defaults to 1.
- The value for notify_autossl_expiry_coverage defaults to 1.
- The value for notify_autossl_expiry_coverage_user defaults to 1.
- The value for notify_autossl_renewal defaults to 1.
- The value for notify_autossl_renewal_user defaults to 1.
- The value for notify_autossl_renewal_coverage defaults to 1.
- The value for notify_autossl_renewal_coverage_user defaults to 1.
- The value for notify_autossl_renewal_coverage_reduced defaults to 1.
- The value for notify_autossl_renewal_coverage_reduced_user defaults to 1.
- The value for notify_autossl_renewal_uncovered_domains defaults to 1.
- The value for notify_autossl_renewal_uncovered_domains_user defaults to 1.
I don't have any additional details on my end. Could you make a ticket for this and then we can escalate it as necessary?
I don't have any additional details on my end. Could you make a ticket for this and then we can escalate it as necessary?
I don't have any domains up for renewal (failure/expiration...) until Feb. Seems like I should wait until then. I don't want to open a ticket without an issue (only asking for feature documentation).
Ticket #94523546
Thanks!
Looks to me that there is a bug. I began receiving the hostname warning certificate and checked in WHM, noting that I had Let's Encrypt enabled for auto SSL. Surely, if cPanel doesn't support hostname Let's Encrypt and/or tests aren't going to cPanel, then the following shouldn't happen?
The cPanel Store returned an error (X::TemporarilyUnavailable) in response to the request "POST ssl/certificate/whm-license/90-day": We were unable to process your request. Please try again later.
It shouldn't be attempting to do this at all, when Let's Encrypt is enabled - unless cPanel has plans to make the feature available. Switching temporarily to cPanel auto SSL cleared the error and allowed the service SSLs to update.
@ejsolutions that error comes from hostname certificate, and it's renewed by cPanel, nothing to do with AutoSSL.
I beg to differ (if you read again what I wrote) but I won't argue my case, as it's now renewed and I have other things that need my attention. If my observation isn't accepted then I'm fine with that. ;)
@ejsolutions - at this point, the hostname certificates are still renewed through Sectigo. Let's Encrypt can only handle domain SSLs. They are also separate tools. You could disable AutoSSL completely and still receive the free hostname certificate.
At this point, you're getting everything you're supposed to. Could you make a feature request with what all you're looking to see added and I can get that over to the team?
As a followup to the question of AutoSSL (only) cert expiration notifications... I learned via the ticket regarding the Sectigo renewal failures, that this notification is ONLY available via API. (Odd!) Here are the API docs showing it (search notify_autossl_expiry): Update AutoSSL metadata via JSON. I have opened a feature request to have it added to WHM. Please up-vote if you agree!
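One way to see which of the AutoSSL notification keys listed earlier in the thread differ from their documented defaults, as an added example that is not code from cPanel or from any poster. It assumes the metadata is read with the WHM API 1 function `get_autossl_metadata` and written back with `set_autossl_metadata` (parameter `metadata_json`), and that the JSON response nests the keys under `data.payload`; check both against the API docs for your version. The sample response is constructed.

```python
import json

# Defaults as listed in the thread (quoted there from the API documentation).
DEFAULTS = {"clobber_externally_signed": 0}
DEFAULTS.update({"notify_autossl_" + suffix: 1 for suffix in (
    "expiry", "expiry_coverage", "expiry_coverage_user",
    "renewal", "renewal_user",
    "renewal_coverage", "renewal_coverage_user",
    "renewal_coverage_reduced", "renewal_coverage_reduced_user",
    "renewal_uncovered_domains", "renewal_uncovered_domains_user",
)})

# Constructed sample of `whmapi1 get_autossl_metadata --output=json`.
# The data/payload nesting is an assumption, not taken from the thread.
SAMPLE_RESPONSE = json.dumps({
    "metadata": {"result": 1},
    "data": {"payload": {
        "clobber_externally_signed": 0,
        "notify_autossl_expiry": 0,            # expiry notices switched off
        "notify_autossl_expiry_coverage": "1", # values may arrive as strings
        "notify_autossl_renewal": 1,
    }},
})

def audit_metadata(raw):
    """Return (changed, unset): keys whose stored value differs from the
    documented default, and documented keys missing from the response."""
    payload = json.loads(raw).get("data", {}).get("payload") or {}
    changed, unset = {}, []
    for key, default in DEFAULTS.items():
        if key not in payload:
            unset.append(key)
        elif int(payload[key]) != default:
            changed[key] = int(payload[key])
    return changed, unset

def restore_payload(changed):
    """JSON body that puts every changed key back to its documented default
    (assumed to be passed as metadata_json to set_autossl_metadata)."""
    return json.dumps({k: DEFAULTS[k] for k in changed}, sort_keys=True)

if __name__ == "__main__":
    changed, unset = audit_metadata(SAMPLE_RESPONSE)
    print("differs from default:", changed)
    print("not present in response:", unset)
    print("metadata_json to restore:", restore_payload(changed))
```

On a server, replace `SAMPLE_RESPONSE` with the real command output; keys reported as not present are ones the response did not return, which is where the documented defaults would apply.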
I did see that, got it approved, and added to this week's meeting!
You might like to address the insistence of AutoSSL trying to renew non-existent subdomains on DNS Only installations. For example:
[xxx.xxx.com] The SSL (Secure Sockets Layer) certificate for "exim" on "xxx.xxx.com" will expire in less than 30 days.
[xxx.xxx.com] The SSL (Secure Sockets Layer) certificate for "cpanel" on "xxx.xxx.com" will expire in less than 30 days.
Perhaps it's purely down to bad defaults in DNS Zone creation, during DNS Only installation - I haven't investigated.
That's about Service SSL Certificates, nothing to do with AutoSSL.
My bad. :|